具有多个应用程序的ASP.NET Identity [英] ASP.NET Identity with multiple applications

问题描述

所以我们的组织正在使用asp.net mvc和Web api开发一些新的Web应用程序.我们决定不将活动目录用于身份验证/授权目的，因此看起来带有实体框架的asp.net身份可能有效.

so our organization is developing some new web apps using asp.net mvc and web api. we decided to not use active directory for authentication/authorization purposes so it looks like asp.net identity with entity framework might work.

在查看数据库模式时，我没有看到应用程序表，因此我们可以为用户凭据和应用程序访问提供一个中央存储库.这是索赔的地方吗?看起来如何?用户->应用->角色->权限

looking at the database schema i don't see an applications table so we can have one central repository for user credentials and application access. is this where claims come in? how would that look; user -> app -> role -> permissions

此外，我们的目标之一就是也为用户提供单点登录.新的承载令牌有可能吗?

also, one of our goals is to also provide users with single sign on. is this possible with the new bearer tokens?

感谢您可以提供的任何帮助

thanks for any help you can provide

推荐答案

看一下本教程.它显示了如何使用Web API来实现ASP.NET Identity:

Take a look at this tutorial. It shows how to implement ASP.NET Identity using Web API:

http://bitoftech.net/2015/01/21/asp-net-identity-2-with-asp-net-web-api-2-accounts-management/

关于处理多个应用程序.我想到两种方法:

As for dealing with multiple applications. Two approaches that come to mind are:

1. 将AppId附加到所有用户名
2. 在AspNetUsers表中添加AppId列，从UserStore派生并重新实现基于Find的方法，以便查询考虑到AppId

1. Append an AppId to all usernames
2. Add an AppId column to AspNetUsers table, derive from UserStore and re-implement the Find based methods so the queries take into account the AppId

对于#1，当应用程序要创建新用户时，它将向WebApi发送包含新用户信息和AppId的请求.然后，WebApi将连接UserName和AppId以创建将写入数据库的完整用户名.因此，如果应用程序1234要创建用户名为myuser的用户，则WebApi将创建用户名为myuser_1234的新用户.从那时起，在查询数据库时，您将首先从请求中获取UserName和AppId，将它们连接起来，然后查询数据库.

For #1 when the application wants to create a new user it would send a request to the WebApi containing the new user information and an AppId. The WebApi would then concatenate the UserName and AppId to create the complete username that will be written to the database. So, if application 1234 wants to create a user with the username myuser, then the WebApi will create a new user with the username myuser_1234. From that point on when querying the database you would first take the UserName and AppId from the request, concatenate them and then query the database.

如果另一个应用程序9900要创建myuser，则写入数据库的最终用户名将为myuser_9900.

If another application 9900 wants to create a myuser, then the final username written to the database would be myuser_9900.

您可能希望将应用程序详细信息存储在数据库中，并针对每个请求验证AppId，以确保在处理应用程序请求之前识别出该应用程序.

You may want to store the application details in the database and for every request validate the AppId to ensure that you recognise the application before processing its request.

我对步骤2的考虑不多，所以这只是一个建议.

I've not thought much of step #2, so its just a suggestion.

如果要在多个应用程序之间共享用户凭据，则可以忽略上述内容，使用标准功能，并且所有应用程序都指向同一个数据库，因此无论创建哪个应用程序，所有应用程序都可以访问所有用户哪个用户.

If you wanted to share the user credentials across multiple applications, then you could probably ignore the above, go with standard functionality and just have all applications point to the same database therefore allowing all applications to access all users regardless of which application created which user.

更新#1:在这种情况下，可以使用承载令牌，我认为(从内存中获取)上面提到的教程系列涉及到这一点，以及单个WebApi如何为多个应用程序提供令牌.

UPDATE #1: In this instance bearer tokens could be used and I think (going from memory) the tutorial series mentioned above touches on this and how a single WebApi can provide tokens for multiple applications.

这篇关于具有多个应用程序的ASP.NET Identity的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！